
Network device and configuration

Chapter-03
Switches

Baessa K.

Mettu University
Faculty of Engineering and Technology
Department of Information Technology

May 22, 2019


Baessa K. (Mettu University) 03 Switches May 22, 2019 1 / 118
Lecture Topics

1 Switch Configuration Basics
  Switch security
  Configuring Password Options

2 VLANs
  VLAN Basics
  Identifying VLANs
  VLAN Trunking
  Configure VLANs and Trunks
  VLAN Trunking Protocol (VTP)

3 Inter VLAN communication

Switch Configuration Basics

Basic Switch configurations I

Basic Switch configurations II

Basic Switch configurations III

Switch security

Configuring Switch Security I

Configuring Password Options

Securing Console Access

Securing Virtual Terminal Access I

• There are 16 available default Telnet sessions as opposed to the 5 sessions set up for a router.

Securing Privileged EXEC Access I

• Always use enable secret for password encryption.

Encrypting Switch Passwords I

• You can encrypt all passwords assigned to a switch using the service password-encryption command.

Banners I

• Login Banner

• Message-Of-The-Day (MOTD) Banner

Port Security I
• Port security is disabled by default.
• Limit and identify the MAC addresses of the workstations that are allowed to access the port.
• When secure MAC addresses are assigned to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
• Specify a group of valid MAC addresses allowed on a port.
• Or allow only one MAC address access to the port.
• Specify that the port automatically shuts down if an invalid MAC address is detected.

Port Security II

Secure MAC Address types

1 Static
  • Manually specify that a specific MAC address is the ONLY address allowed to connect to that port.
  • They are added to the MAC address table and stored in the running configuration.
2 Dynamic
  • MAC addresses are learned dynamically when a device connects to the switch.
  • They are stored in the address table and are lost when the switch reloads.
3 Sticky
  • Specifies that MAC addresses are:
    • Dynamically learned and added to the MAC address table.
    • Stored in the running configuration.

Port Security III

Security Violation Modes

• Violations occur when:
  • The maximum number of secure MAC addresses has been added to the address table, and
  • A workstation whose MAC address is not in the address table attempts to access the interface.

• Modes:
  1 Protect: drop frames – no notify
  2 Restrict: drop frames – notify
  3 Shutdown: disable port – notify
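The secure MAC address types and violation modes from the two slides above, modelled in Python as an added example (this is illustrative code, not the lecture's or Cisco's): a port learns dynamic or sticky addresses up to its maximum, records static and sticky ones in a running-config list, and applies protect, restrict or shutdown when an unknown source MAC arrives on a full table. The MAC addresses are constructed.

```python
"""Added example: model of port-security behaviour (secure MAC types,
maximum address count, protect/restrict/shutdown).  Not switch code."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """One access port with port security enabled (it is disabled by default)."""
    maximum: int = 1                  # maximum secure MAC addresses on the port
    violation: str = SHUTDOWN         # Cisco's default violation mode
    sticky: bool = False              # learn dynamically but keep in running-config
    secure: dict = field(default_factory=dict)  # mac -> "static" | "dynamic" | "sticky"
    running_config: list = field(default_factory=list)
    violations: int = 0
    err_disabled: bool = False

    def add_static(self, mac: str) -> None:
        """Operator pins a MAC to the port: address table and running-config."""
        mac = mac.lower()
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("secure address table is full")
        self.secure[mac] = "static"
        self.running_config.append(f"switchport port-security mac-address {mac}")

    def receive(self, src_mac: str) -> str:
        """What the switch does with a frame from src_mac.

        Returns "forward", "drop" (protect), "drop+notify" (restrict) or
        "shutdown+notify" (shutdown: the port goes err-disabled).
        """
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                        # down until an operator clears it
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:      # room left: learn the address
            kind = "sticky" if self.sticky else "dynamic"
            self.secure[mac] = kind
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Table full and the source is not a secure address: a violation.
        self.violations += 1
        if self.violation == PROTECT:
            return "drop"                        # silently dropped
        if self.violation == RESTRICT:
            return "drop+notify"                 # dropped, counter + syslog/SNMP trap
        self.err_disabled = True
        return "shutdown+notify"

    def reload(self) -> None:
        """Switch reload: dynamic addresses are lost; static and sticky ones
        come back from the saved configuration (assumes running-config was
        copied to startup-config before the reload)."""
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}
        self.err_disabled = False
        self.violations = 0


def demo() -> dict:
    """Run one sticky port (max 2) through each violation mode with constructed MACs."""
    results = {}
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        port = SecurePort(maximum=2, violation=mode, sticky=True)
        port.add_static("00:11:22:33:44:01")        # the authorised workstation
        port.receive("00:11:22:33:44:02")           # sticky-learned, table now full
        results[mode] = (port.receive("de:ad:be:ef:00:01"),   # unknown MAC -> violation
                         port.receive("00:11:22:33:44:01"))   # legit host afterwards
    return results


if __name__ == "__main__":
    for mode, (intruder, legit) in demo().items():
        print(f"{mode:9s} unknown MAC -> {intruder:16s} known MAC afterwards -> {legit}")
```

Note that in shutdown mode the legitimate host is cut off too until the port is recovered, which is the trade-off the three modes exist for.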

Port Security IV

Default Security Configuration

Port Security V

Configure Static Port Security


• ONLY address allowed.
• Add to MAC table and running configuration.

Port Security VI

Configure Dynamic Port Security


• Dynamically learned when the device connects.
• Added to MAC table only.

Port Security VII

Configure Sticky Port Security


• Dynamically learn MAC addresses.
• Add to MAC table and running configuration.

Port Security VIII

Verify Port Security Settings

VLANs
VLAN Basics

Basics I

• In flat networks, every broadcast packet transmitted is seen by every device on the network regardless of whether the device needs to receive that data or not.
• Host A sends out a broadcast and all ports on all switches forward it – all except the port that originally received it.

Basics II
• STOP! → Security!
• Within the typical layer 2 switched internetwork, all users can see all devices by default.
• And you can’t stop devices from broadcasting, plus you can’t stop users from trying to respond to broadcasts.
• There’s hope!

VLAN

Basics III
• A VLAN is a logical grouping of network users and resources
connected to administratively defined ports on a switch.

Basics IV

Basics V
• VLANs provide segmentation based on broadcast domains.
• VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless of the physical location or connections to the network.
• Communication among VLANs still requires a router.
• BUT, only one physical connection will handle all routing.

Basics VI

• A VLAN allows:
  • Creation of groups of logically networked devices.
  • The devices to act as if they are on their own independent network.
  • The devices can share a common infrastructure.
• Each VLAN is a separate broadcast domain.
  • Broadcast traffic is controlled.
• Each VLAN is a separate IP subnet.
  • To communicate among VLANs, you must use a router.

Benefits of VLANs I
• Security
  • Groups with specific security needs are isolated from the rest of the network.
  • Sensitive data can be isolated to one VLAN, separating it from the others.
• Cost Reduction
  • Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.
• Higher Performance
  • Dividing flat Layer 2 networks into multiple logical broadcast domains reduces unnecessary traffic on the network and boosts performance.
• Broadcast Storm Mitigation
  • VLAN segmentation prevents a broadcast storm from propagating throughout the entire network.

Benefits of VLANs II

• Improved IT Staff Efficiency
  • Easier to manage the network because users with similar network requirements share the same VLAN.
• Simpler Project or Application Management
  • Having separate functions makes working with a specialized application easier.
  • For example, an e-learning development platform for faculty.

VLAN ID Ranges I

• When configured, the number that is assigned to the VLAN becomes the VLAN ID.
• The numbers to be assigned are divided into two different ranges:
  1 Normal Range: 1 – 1005
  2 Extended Range: 1006 – 4096
• Each range has its own characteristics.

VLAN ID Ranges II

Normal Range: 1 – 1005

• Used in small- and medium-sized business and enterprise networks.
• IDs 1002 – 1005: Token Ring and FDDI VLANs.
• IDs 1 and 1002 to 1005 are automatically created and cannot be
removed.
• Configurations are stored within a VLAN database file, called
vlan.dat, located in the flash memory of the switch.
• The VLAN Trunking Protocol (VTP), which helps manage VLAN
configurations between switches, can only learn normal range VLANs
and stores them in the VLAN database file.

VLAN ID Ranges III

Extended Range: 1006 – 4096

• Enable service providers to extend their infrastructure to a greater number of customers.
• Some global enterprises could be large enough to need extended range
VLAN IDs.
• Support fewer VLAN features than normal range VLANs.
• Are saved in the running configuration file – not the vlan.dat file.
• VTP does not learn extended range VLANs.

Types of VLANs I

• Traditionally, two methods of implementing VLANs:
  1 Static or Port-Based:
    • Ports on a switch are assigned to a specific VLAN.
  2 Dynamic
    • VLANs created by accessing a Network Management server.
    • The MAC address/VLAN ID mapping is set up by the Network Administrator and the server assigns a VLAN ID when the device contacts it.
• Today, there is essentially one method of implementing VLANs: Port-Based.

Types of Port-Based VLANs I

• Defined by the type of traffic they support or by the functions they perform.
1 Data VLAN:
  • Configured to carry only user-generated traffic.
  • A switch could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN.
  • A Data VLAN is sometimes referred to as a User VLAN.
2 Default VLAN
  • The default VLAN for Cisco switches is VLAN 1.
  • VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it.
  • All the ports on a switch are members of the default VLAN, which is VLAN 1 for Cisco switches.
  • By default, Layer 2 control traffic (CDP and STP) is associated with VLAN 1.
  • It is a security best practice to change the default VLAN to a VLAN other than VLAN 1 (e.g. VLAN 99).

Types of Port-Based VLANs II


3 Black hole VLAN:
  • A security best practice is to define a black hole VLAN to be a dummy VLAN distinct from all other VLANs.
  • All unused switch ports are assigned to the black hole VLAN so that any unauthorized device connecting to an unused switch port will be prevented from communicating beyond the switch to which it is connected.
4 Native VLAN
  • An 802.1Q trunk port supports traffic coming from VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).
  • The 802.1Q trunk port places untagged traffic on the native VLAN.
  • Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios.
  • It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Types of Port-Based VLANs III

5 Management VLAN
  • A VLAN defined by the network administrator as a means to access the management capabilities of a switch.
  • By default, VLAN 1 is the management VLAN.
  • It is a security best practice to define the management VLAN to be a VLAN distinct from all other VLANs defined in the switched LAN.
    • You do so by configuring and activating a new VLAN interface.
    • You assign the management VLAN an IP address and subnet mask.
  • A new switch has all ports assigned to VLAN 1.
    • Using VLAN 1 as the management VLAN means that anyone connecting to the switch will be in the management VLAN.
    • That assumes that all ports have not been assigned to another VLAN.
6 Voice VLANs
  • This enables switch ports to carry IP voice traffic from an IP phone.

Identifying VLANs

Basics I

• Switch ports are layer 2–only interfaces that are associated with a physical port.
• A switch port can belong to only one VLAN if it is an access port, or all VLANs if it is a trunk port.
• You can manually configure a port as an access or trunk port, or you can let the Dynamic Trunking Protocol (DTP) operate on a per-port basis to set the switchport mode.
• DTP does this by negotiating with the port on the other end of the link.

• There are two different types of links in a switched environment:

Basics II

Access ports
• An access port belongs to and carries the traffic of only one VLAN.
• Traffic is both received and sent in native formats with no VLAN
tagging whatsoever.
• Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port.
• So, what do you think will happen if an access port receives a tagged
packet, like IEEE 802.1Q tagged?
• Remember that access-link devices can’t communicate with devices
outside their VLAN unless the packet is routed.

Basics III

Trunk Ports
• A trunk link is a 100- or 1000-Mbps point-to-point link between two switches, between a switch and router, or even between a switch and server.
• It carries the traffic of multiple VLANs – from 1 to 4,094 at a time.

VLAN Trunking

Trunk I

Trunk II

Definition
A trunk is a physical and logical connection between two switches across
which network traffic travels.

Trunk III

Trunk IV

• A VLAN trunk is an Ethernet point-to-point link between an Ethernet switch interface and an Ethernet interface on another networking device, such as a router or a switch, carrying the traffic of multiple VLANs over the singular link.
• A VLAN trunk allows you to extend the VLANs across an entire network.
• A VLAN trunk does not belong to a specific VLAN; rather, it serves as a conduit for VLANs between switches.

Trunk VI

Attention!
• It is also important to realize that a trunk link does not belong to a specific VLAN.
• The responsibility of a trunk link is to act as a conduit for VLANs:
  • Between switches and routers.
  • Between switches and switches.

Trunk VII

IEEE 802.1Q Frame Tagging I

• When a frame is placed on a trunk link, information about the VLAN it belongs to must be added to the frame.
  • The process is called 802.1Q VLAN Tagging.
  • This is accomplished by using IEEE 802.1Q frame tagging.
• When a switch receives a frame on a port configured in access mode and destined for a remote device via a trunk link, the switch takes apart the frame and inserts a VLAN tag, and sends the tagged frame out the trunk port.
• The VLAN tag field consists of a 16-bit Type field called the EtherType field and a Tag control information field.
  • The EtherType field is set to the hexadecimal value of 0x8100.
  • This value is called the tag protocol ID (TPID) value.

IEEE 802.1Q Frame Tagging II

• With the EtherType field set to the TPID value, the switch receiving the frame knows to look for information in the Tag control information field.
• The Tag control information field contains the following:
  • 3 bits of user priority:
    • Used to provide fast transmission of Layer 2 frames, like voice traffic.
  • 1 bit of Canonical Format Identifier (CFI):
    • Enables Token Ring frames to be carried across Ethernet links easily.
  • 12 bits of VLAN ID (VID):
    • VLAN identification numbers.

IEEE 802.1Q Frame Tagging III

Trunking Modes I

• VLAN identification is what switches use to keep track of all those frames as they’re traversing a switch fabric.
• It’s how switches identify which frames belong to which VLANs, and there’s more than one trunking method.
• A Cisco switch can be configured to support two types of trunk ports:
  • IEEE 802.1Q
  • ISL (Inter-Switch Link)
• Today only 802.1Q is used.
• Legacy networks may still use ISL.

Trunking Modes II

Inter-Switch Link (ISL)

• Inter-Switch Link (ISL) is a way of explicitly tagging VLAN information onto an Ethernet frame.
• This tagging information allows VLANs to be multiplexed over a trunk link through an external encapsulation method (ISL), which allows the switch to identify the VLAN membership of a frame over the trunked link.
• ISL routing is pretty versatile and can be used on a switch port, router interfaces, and server interface cards to trunk a server.

Trunking Modes III


IEEE 802.1Q
• The IEEE 802.1Q trunking protocol is the recommended frame tagging method to use on trunk links.
• IEEE 802.1Q actually inserts a field into the frame to identify the VLAN.
• Assigned a default PVID.
• Supports simultaneous tagged and untagged traffic.
• Untagged traffic:
  • Associated with the port default Port VLAN ID (PVID).
  • Null VLAN ID traffic belongs to the default PVID.
• Tagged traffic:
  • VLAN ID equal to the outgoing port default PVID is sent untagged.
  • Null VLAN ID traffic belongs to the default PVID.
  • All other traffic is sent with a VLAN tag.
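The tag layout from the 802.1Q frame-tagging slides and the PVID rules above, as an added Python example (not part of the lecture): it encodes and decodes the TPID/TCI fields, applies the native-VLAN rule on trunk egress, maps untagged and null-VID frames to the receiving port's PVID, and shows where an untagged frame ends up when the two ends of a trunk disagree on the native VLAN. The frame bytes, source MAC and VLAN numbers are constructed.

```python
"""Added example (not from the lecture): IEEE 802.1Q tag encode/decode and
the trunk PVID rule.  Frame bytes, MAC address and VLAN numbers are constructed."""
import struct

TPID = 0x8100   # Tag Protocol Identifier, sits where the EtherType normally is


def build_tag(vid: int, priority: int = 0, cfi: int = 0) -> bytes:
    """4-byte tag: 16-bit TPID followed by the Tag Control Information,
    TCI = 3-bit user priority | 1-bit CFI | 12-bit VLAN ID."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority is 3 bits, CFI is 1 bit")
    tci = (priority << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID, tci)


def parse_frame(frame: bytes, pvid: int) -> dict:
    """Classify an Ethernet frame the way a receiving 802.1Q port does.

    Untagged frames, and tagged frames whose VID is 0 (the null VLAN ID,
    a priority-only tag), are associated with the port's PVID.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return {"tagged": False, "vid": pvid, "priority": 0, "cfi": 0,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return {"tagged": True, "vid": vid if vid else pvid, "priority": tci >> 13,
            "cfi": (tci >> 12) & 1, "ethertype": inner_type, "payload": frame[18:]}


def egress_trunk(frame: bytes, vid: int, trunk_pvid: int, priority: int = 0) -> bytes:
    """Forward an untagged frame belonging to VLAN `vid` out a trunk port.

    The tag goes between the source MAC and the original EtherType, unless
    `vid` is the trunk's native VLAN (PVID): that traffic is sent untagged.
    """
    if vid == trunk_pvid:
        return frame
    return frame[:12] + build_tag(vid, priority) + frame[12:]


# Constructed sample: broadcast destination, a locally administered source MAC,
# ARP EtherType (0x0806) and a zero-filled 28-byte ARP-sized payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
                + struct.pack("!H", 0x0806) + bytes(28))


def demo() -> dict:
    """VLAN 10 and VLAN 99 frames leaving a trunk whose native VLAN is 99,
    then received by a peer with native VLAN 99 (correct) and VLAN 1 (mismatch)."""
    tagged = egress_trunk(SAMPLE_FRAME, vid=10, trunk_pvid=99, priority=5)
    native = egress_trunk(SAMPLE_FRAME, vid=99, trunk_pvid=99)
    return {
        "tagged_len": len(tagged),                       # 4 bytes longer
        "native_len": len(native),                       # unchanged
        "tagged_seen_as": parse_frame(tagged, pvid=99),
        "native_seen_as": parse_frame(native, pvid=99),
        # Peer configured with native VLAN 1: the untagged VLAN 99 frame lands in VLAN 1.
        "mismatch_vid": parse_frame(native, pvid=1)["vid"],
    }


if __name__ == "__main__":
    d = demo()
    print("tag for VLAN 10, priority 5:", build_tag(10, priority=5).hex())
    print("VLAN 10 over trunk -> tagged:", d["tagged_seen_as"]["tagged"],
          "vid", d["tagged_seen_as"]["vid"])
    print("VLAN 99 (native) over trunk -> tagged:", d["native_seen_as"]["tagged"],
          "vid", d["native_seen_as"]["vid"])
    print("same untagged frame at a peer with native VLAN 1 -> vid", d["mismatch_vid"])
```

The last value is the native VLAN mismatch from the troubleshooting slide in concrete form: untagged traffic is silently re-labelled with whatever PVID the receiving trunk port holds.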

Configure VLANs and Trunks

Overview I

Overview II
1 Create the VLANs.
2 Assign switch ports to VLANs statically.
3 Verify VLAN configuration.
4 Enable trunking on the inter-switch connections.
5 Verify trunk configuration.

• Command Syntax:
  S1# configure terminal
  S1(config)# vlan vlan-id
  S1(config-vlan)# name vlan-name
  S1(config-vlan)# end

Overview III
• Configure a VLAN

Overview IV

• Assign switch ports to a VLAN

Overview V

• Verify VLAN configuration

Managing VLANs I

• Other show vlan command options:
  • show vlan name student
  • show vlan summary
  • show vlan brief
  • show interfaces f0/18 switchport
• Remove port VLAN membership.
• Remove VLAN.
• Restoring to Factory Defaults:



Managing VLANs II
• To remove all VLAN configuration

Configure a Trunk I

• Command Syntax:
  S1# configure terminal
  S1(config)# interface interface-id
  S1(config-if)# switchport mode trunk
  S1(config-if)# switchport trunk native vlan vlan-id
  S1(config-if)# switchport trunk allowed vlan add vlan-list
  S1(config-if)# end

Configure a Trunk II

Configure a Trunk III

Common Problems with Trunks

• Native VLAN mismatches:
  • Trunk ports are configured with different native VLANs.
• Trunk Mode mismatches:
  • One trunk port is configured with trunk mode off and the other with trunk mode on.
• VLANs and IP Subnets:
  • End user devices configured with incorrect IP addresses will not have network connectivity.
  • Each VLAN is a logically separate IP subnetwork.
  • Devices within the VLAN must be configured with the correct IP settings.
• Allowed VLANs on trunks:
  • The list of allowed VLANs on a trunk does not match on both ends of the trunk.

VLAN Trunking Protocol (VTP)

VTP Concepts I

VTP Concepts II

• The VLAN Trunking Protocol (VTP) allows you to simplify the management of the VLAN database across multiple switches.
• As the number of switches increases on a small- or medium-sized business network, the overall administration required to manage VLANs and trunks in a network becomes a challenge.

VTP Concepts III

VTP Concepts IV

VTP Concepts V

• VTP does not provide a method for trunking between devices.
• Instead, VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the additions, deletions, and name changes of VLANs across networks.
• VTP helps with VLAN management and although it makes the configuration and troubleshooting of VLANs easier, it is not required.
• The benefits of VTP include the following:
  • VLAN configuration consistency across the network
  • Accurate tracking and monitoring of VLANs
  • Dynamic reporting of added VLANs across a network

VTP Components I

VTP Domain
• Consists of one or more interconnected switches.
• All switches in a domain share VLAN configuration details using VTP advertisements.
• A router or Layer 3 switch defines the boundary of the domain.

VTP Components II

VTP Modes
• Server:
  • The server is where VLANs can be created, deleted, or renamed for the domain.
  • VTP servers advertise VLAN information to other switches in the same VTP domain.
• Client:
  • You cannot create, change, or delete VLANs on a VTP client.
  • VTP clients forward advertisements to other clients.
  • You must configure VTP client mode.

VTP Components III

VTP Modes (continued)
• Transparent:
  • VTP transparent mode switches forward VTP advertisements to VTP clients and VTP servers, but do not originate or otherwise implement VTP advertisements.
  • VLANs that are created, renamed, or deleted on a VTP transparent mode switch are local to that switch only.

VTP Components IV

VTP Operation I

VTP Operation II

VTP Operation III

• VTP allows you to separate your network into smaller management domains to help reduce VLAN management.
• A switch can be a member of only one VTP domain at a time.
• Until the VTP domain name is specified, you cannot create or modify VLANs on a VTP server, and VLAN information is not propagated over the network.

VTP Operation IV

VTP Operation V

VTP Operation VI

• For a VTP server or client switch to participate in a VTP-enabled network, it must be a part of the same domain.
• Domain name propagation uses three VTP components: servers, clients, and advertisements.

VTP Advertising I

• VTP Frame Structure
  • VTP advertisements (or messages) distribute VTP domain name and VLAN configuration changes to VTP-enabled switches.
  • The VTP frame is encapsulated in the same manner as any other tagged frame.

VTP Advertising II

VTP Advertising III

• VTP Revision Number (Default Zero):
  • The configuration revision number is a 32-bit number that indicates the level of revision for a VTP frame.
  • Each time a VLAN is added or removed, the configuration revision number is incremented.
  • Each VTP device tracks the VTP configuration revision number.
  • A VTP domain name change resets the revision number to zero.
  • The revision number plays an important role in enabling VTP to distribute and synchronize VTP domain and VLAN configuration information.

VTP Advertising IV

VTP Advertising V
• VTP Advertisement Types
  1 Summary Advertisement
    • Contains the VTP domain name, the current revision number, and other VTP configuration details.
    • Summary advertisements are sent:
      • Every 5 minutes by a VTP server or client to inform neighboring VTP-enabled switches of the current VTP configuration revision number for its VTP domain.
      • Immediately after a configuration change.

VTP Advertising VI
2 Subset Advertisement
• A subset advertisement contains VLAN information.
• Changes that trigger the subset advertisement include:
• Creating or deleting a VLAN.
• Suspending or activating a VLAN.
• Changing the name of a VLAN.
• Changing the MTU of a VLA
3 Request Advertisement:
• A request advertisement is sent to a VTP server.
• The VTP server responds to the client by sending a summary
advertisement followed by a subset advertisement.
• Request advertisements are sent if:
• The VTP domain name has been changed.
• The switch receives a summary advertisement with a higher
configuration revision number than its own.
• A subset advertisement message is missed for some reason.
• The switch has been reset.
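The revision-number rules and the three advertisement types above can be run through as a small model. The following Python is an added example written for this page, not code from the slides or from any switch vendor: a toy Switch class that keeps a domain name, a 32-bit revision number and a VLAN list, bumps the revision on every VLAN change, requests the VLAN list when it hears a higher revision in its own domain, and resets the revision to zero on a domain name change. The switch names, domain names and VLAN ids are constructed; the model simplifies VTP by letting any sender answer a request directly.

```python
from dataclasses import dataclass, field


@dataclass
class Switch:
    """Minimal model of one VTP participant (constructed for this example)."""
    name: str
    domain: str
    mode: str = "client"          # "server", "client" or "transparent"
    revision: int = 0             # 32-bit configuration revision number, default zero
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> dict:
        """Only a server edits the database; every change increments the revision."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: only a VTP server can change the VLAN database")
        self.vlans[vid] = name
        self.revision = (self.revision + 1) & 0xFFFFFFFF   # wraps like the 32-bit field
        return self.summary_advertisement()                 # sent immediately after a change

    def set_domain(self, new_domain: str) -> None:
        """A domain name change resets the revision number to zero."""
        self.domain = new_domain
        self.revision = 0

    def summary_advertisement(self) -> dict:
        return {"type": "summary", "domain": self.domain, "revision": self.revision}

    def subset_advertisement(self) -> dict:
        return {"type": "subset", "domain": self.domain,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def on_summary(self, adv: dict) -> str:
        """A higher revision in our own domain triggers a request advertisement."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return "ignore"
        return "request" if adv["revision"] > self.revision else "ignore"

    def on_subset(self, adv: dict) -> bool:
        """Install the advertised VLAN list only if it is newer than ours."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True


def exchange(sender: Switch, receiver: Switch) -> bool:
    """Summary -> request -> summary + subset. True if the receiver's database changed."""
    if receiver.on_summary(sender.summary_advertisement()) != "request":
        return False
    # the sender answers the request with a summary followed by a subset advertisement
    return receiver.on_subset(sender.subset_advertisement())


def scenario() -> dict:
    """Normal synchronisation, then a stale switch with a higher revision, then the reset."""
    core = Switch("Core", "CAMPUS", mode="server")
    core.add_vlan(10, "STAFF")
    core.add_vlan(20, "STUDENTS")                 # core revision is now 2
    access = Switch("Access1", "CAMPUS")          # client, revision 0
    exchange(core, access)                        # client learns VLANs 10 and 20

    # A switch reused from a lab: same domain name, more edits (higher revision),
    # but a VLAN list that has nothing to do with production.
    lab = Switch("Lab", "CAMPUS", mode="server")
    for vid in range(100, 110):
        lab.add_vlan(vid, f"LAB{vid}")            # lab revision is now 10
    accepted_before = core.on_summary(lab.summary_advertisement()) == "request"

    # Because a domain name change resets the revision, renaming the domain and
    # renaming it back zeroes the counter before the switch is connected.
    lab.set_domain("SCRATCH")
    lab.set_domain("CAMPUS")
    accepted_after = exchange(lab, core)

    return {
        "client_vlans": sorted(access.vlans),
        "client_revision": access.revision,
        "stale_accepted_before_reset": accepted_before,
        "stale_accepted_after_reset": accepted_after,
        "core_vlans": sorted(core.vlans),
    }


if __name__ == "__main__":
    print(scenario())
```

The check this illustrates is the one a switch administrator makes before cabling in a reused switch: confirm its revision number is zero (or lower than the domain's current value), because the receiving side decides purely on revision and domain name, not on which VLAN list is the sensible one.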


VTP — Server to Client I


VTP — Server to Transparent to Client


VTP Pruning I
• VTP gives you a way to preserve bandwidth by configuring it to
reduce the amount of broadcast, multicast, and unicast packets.
• This is called pruning. A VTP pruning-enabled switch sends
broadcasts only over the trunk links that actually need the information.

• If Switch A doesn’t have any ports configured for VLAN 5 and a broadcast
is sent throughout VLAN 5, that broadcast wouldn’t traverse the trunk link
to Switch A.
• By default, VTP pruning is disabled on all switches.
• Seems to me this would be a good default parameter.


VTP Pruning II

• When you enable pruning on a VTP server, you enable it for the
entire domain.
• By default, VLANs 2 through 1001 are pruning eligible, but VLAN 1
can never be pruned because it is an administrative VLAN.
• VTP pruning is supported with both VTP version 1 and version 2.
• By using the show interface trunk command, we can see that all
VLANs are allowed across a trunk link by default:


VTP Pruning III

• It only takes one command, and pruning is then enabled on your entire switched
network for the listed VLANs.
• Let's see what happens:
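The pruning decision described on the last three slides, as an added Python example (not the slides' own material and not a vendor implementation): given which VLANs have active access ports on each switch and which trunks connect them, it computes, per trunk and direction, which VLANs' flooded traffic still crosses the trunk once pruning is on, keeping VLAN 1 and everything outside the 2 to 1001 eligible range unconditionally. The topology is the one in the text (a Switch A with no VLAN 5 ports) with a constructed third switch; a tree-shaped trunk layout is assumed.

```python
from collections import defaultdict

# Per the slides, VLANs 2..1001 are pruning eligible; VLAN 1 (and everything
# outside that range) is always carried on every trunk.
PRUNE_ELIGIBLE = range(2, 1002)


def _switches_beyond(trunks, start, blocked):
    """Switches reachable from `start` without stepping onto `blocked` (tree topology assumed)."""
    adj = defaultdict(set)
    for a, b in trunks:
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(n for n in adj[node] if n != blocked and n not in seen)
    return seen


def trunk_vlan_sets(membership, trunks, pruning_enabled=True):
    """
    membership: {switch: {VLANs that have active access ports on it}}
    trunks:     [(switch_a, switch_b), ...]
    Returns {(from, to): VLANs whose flooded traffic `from` sends towards `to`}.
    """
    all_vlans = {1}.union(*membership.values())   # VLAN 1 always exists
    result = {}
    for a, b in trunks:
        for src, dst in ((a, b), (b, a)):
            if not pruning_enabled:
                result[(src, dst)] = set(all_vlans)      # default: everything is flooded
                continue
            # a VLAN is needed on this trunk if any switch on the far side has ports in it
            needed = set()
            for sw in _switches_beyond(trunks, dst, blocked=src):
                needed |= membership.get(sw, set())
            result[(src, dst)] = {v for v in all_vlans
                                  if v not in PRUNE_ELIGIBLE or v in needed}
    return result


# Constructed topology: Switch B in the middle, Switch A has no VLAN 5 ports.
MEMBERSHIP = {"SwitchA": {10}, "SwitchB": {5, 10}, "SwitchC": {5}}
TRUNKS = [("SwitchB", "SwitchA"), ("SwitchB", "SwitchC")]


def vlan5_reaches_switch_a(pruning_enabled: bool) -> bool:
    """Does a VLAN 5 broadcast from Switch B cross the trunk to Switch A?"""
    sets = trunk_vlan_sets(MEMBERSHIP, TRUNKS, pruning_enabled)
    return 5 in sets[("SwitchB", "SwitchA")]


if __name__ == "__main__":
    for direction, vlans in sorted(trunk_vlan_sets(MEMBERSHIP, TRUNKS).items()):
        print(f"{direction[0]} -> {direction[1]}: {sorted(vlans)}")
    print("VLAN 5 reaches Switch A with pruning off:", vlan5_reaches_switch_a(False))
    print("VLAN 5 reaches Switch A with pruning on: ", vlan5_reaches_switch_a(True))
```

With pruning off every trunk carries every VLAN, which is the "all VLANs allowed" state shown by the trunk verification command; with pruning on, the B to A trunk drops VLAN 5 while VLAN 1 stays on every link regardless.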


VTP Pruning IV


Configure VTP I


Configure VTP II

• Configuration Guidelines:

On the VTP server
• Confirm default settings
• Configure the switch as a VTP server
• Configure the VTP domain on the VTP server in the network.
• Ensure all switches are in the same VTP protocol version mode.
• Configure VLANs and trunk ports


Configure VTP III

On the VTP client
• Confirm default settings
• Configure VTP client mode
• Configure trunks
• Connect to VTP server
• Verify VTP status
• Configure access ports


Configure VTP IV


Configure VTP V


Configure VTP VI


Configure VTP VII


Configure VTP VIII


Inter VLAN communication


Introducing Inter-VLAN Routing I


Introducing Inter-VLAN Routing II


Introducing Inter-VLAN Routing III

What is Inter-VLAN Routing?


• Each VLAN is a unique broadcast domain.
• Computers on separate VLANs are, by default, not able to
communicate.
• Each VLAN is a unique IP subnetwork.
• To allow VLANs to communicate, we need a router to communicate
among separate broadcast domains and unique IP subnetworks.

• Inter-VLAN routing, then, is the process of forwarding traffic from one
VLAN to another VLAN using a router.


Introducing Inter-VLAN Routing IV

Methods
• Traditional Inter-VLAN Routing.
• Router-on-a-stick Inter-VLAN Routing.
• Switch Based Inter-VLAN Routing.


Introducing Inter-VLAN Routing V

Traditional Inter-VLAN Routing
• One router interface per VLAN.


Introducing Inter-VLAN Routing VI

Router-on-a-stick Inter-VLAN Routing:
• One router interface for all VLANs.


Interfaces and Subinterfaces I

• Traditional Inter-VLAN Routing


• Traditional routing requires routers to have multiple physical interfaces
to facilitate inter-VLAN routing.
• Each interface is also configured with an IP address for the subnet
associated with the particular VLAN that it is connected to.
• In this configuration, network devices can use the router as a gateway
to access the devices connected to the other VLANs.


Interfaces and Subinterfaces II


• Traditional inter-VLAN routing using physical interfaces does have a
limitation.
• As the number of VLANs increases on a network, the physical approach
of having one router interface per VLAN quickly becomes hindered by
the physical hardware limitations of a router.
• Routers have a limited number of physical interfaces that they can use
to connect to different VLANs.
• It is very expensive to add an Ethernet Interface.
• Router-on-a-stick Inter-VLAN Routing:
• Subinterfaces
• Overcomes the hardware limitation of a router.
• Subinterfaces are software-based virtual interfaces that are assigned to
physical interfaces.
• Each subinterface is configured with its own IP address, subnet mask,
and unique VLAN assignment.
• Connected to a switch trunk link.
• Functionally the same as using the traditional routing model.


Interfaces and Subinterfaces III

Create the subinterface
• The syntax for the subinterface is always the physical interface,
followed by a period and a subinterface number.
• The subinterface number is configurable, but it is typically chosen
to reflect the VLAN number.
    R1(config)# interface [interface].nn

Assign it to a VLAN
• Before assigning an IP address, the subinterface must be configured
to operate on a specific VLAN using the proper encapsulation.
    R1(config-subif)# encapsulation dot1q vlan-id


Interfaces and Subinterfaces IV

Assign an IP Address:
• The IP address assigned here will become the default gateway for
that VLAN.
    R1(config-subif)# ip address [address] [mask]

Enable the interface
• Subinterfaces are not enabled individually.
• When the physical interface is enabled, all associated subinterfaces
are enabled.
    R1(config-if)# no shutdown
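The four subinterface steps above, carried through as an added Python example (written for this page, not code from the slides or from any router vendor): one function renders the router-on-a-stick configuration for a VLAN plan while checking that each VLAN id is valid, that the gateway is a usable host address, and that no two VLAN subnets overlap; a second function audits an existing configuration for the two ordering and numbering rules the slides give (encapsulation before the address, subinterface number matching the VLAN). The interface name GigabitEthernet0/0, the VLAN ids and the addresses are constructed assumptions.

```python
import ipaddress
import re


def build_router_on_a_stick(physical: str, plan: dict) -> list:
    """
    plan maps VLAN id -> gateway address with prefix, e.g. {10: "192.168.10.1/24"}.
    Returns IOS configuration lines following the four steps in the slides.
    """
    lines = [f"interface {physical}", " no shutdown"]   # step 4: one physical port enables all subinterfaces
    seen = []                                            # (vlan, network) already used
    for vid in sorted(plan):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} is outside 1-4094")
        gw = ipaddress.ip_interface(plan[vid])
        net = gw.network
        if net.prefixlen >= 31 or gw.ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"VLAN {vid}: {gw.ip}/{net.prefixlen} is not a usable gateway address")
        for other_vid, other_net in seen:
            if net.overlaps(other_net):
                raise ValueError(f"VLAN {vid} subnet {net} overlaps VLAN {other_vid} subnet {other_net}")
        seen.append((vid, net))
        lines += [
            f"interface {physical}.{vid}",         # step 1: subinterface number mirrors the VLAN id
            f" encapsulation dot1Q {vid}",          # step 2: tag must come before the address
            f" ip address {gw.ip} {net.netmask}",   # step 3: this address is the VLAN's default gateway
        ]
    return lines


def audit_subinterfaces(config: str) -> list:
    """Flag subinterfaces whose dot1Q tag is missing, set after the address, or unequal to the subinterface number."""
    findings = []
    current = None       # (name, subinterface number) of the subinterface being read
    encap_seen = False

    def close_current():
        if current is not None and not encap_seen:
            findings.append(f"{current[0]}: no encapsulation dot1Q configured")

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            close_current()
            m = re.fullmatch(r"interface (\S+)\.(\d+)", line)
            current = (f"{m.group(1)}.{m.group(2)}", int(m.group(2))) if m else None
            encap_seen = False
            continue
        if current is None:
            continue
        m = re.fullmatch(r"encapsulation dot1[qQ] (\d+)(?: native)?", line)
        if m:
            encap_seen = True
            if int(m.group(1)) != current[1]:
                findings.append(f"{current[0]}: subinterface number {current[1]} "
                                f"does not match VLAN {m.group(1)}")
        elif line.startswith("ip address ") and not encap_seen:
            findings.append(f"{current[0]}: ip address set before encapsulation dot1Q")
    close_current()
    return findings


# Constructed sample with two mistakes: address before tag on .20, mismatched tag on .30.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 ip address 192.168.20.1 255.255.255.0
 encapsulation dot1Q 20
interface GigabitEthernet0/0.30
 encapsulation dot1Q 33
 ip address 192.168.30.1 255.255.255.0
"""

if __name__ == "__main__":
    print("\n".join(build_router_on_a_stick("GigabitEthernet0/0",
                                            {10: "192.168.10.1/24", 20: "192.168.20.1/24"})))
    for finding in audit_subinterfaces(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The subinterface-number check is a convention rather than a requirement, as the slides note, but a mismatch between the number and the tag is the usual way a subinterface ends up serving the wrong VLAN, so the audit reports it alongside the hard ordering rule.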


Interfaces and Subinterfaces V

Configuring Subinterfaces
    R1# show ip route


Interfaces and Subinterfaces VI

Putting It All Together
